Multiple holes in Cacti spiked
Security researchers in Italy have discovered multiple security vulnerabilities in the Cacti open source network stats program. These have now been fixed and an updated version has been issued. The vulnerabilities could be exploited by attackers to carry out SQL injection or cross-site scripting attacks.
A number of scripts fail to check the arguments passed to them, allowing attackers to inject SQL commands into queries sent to the underlying MySQL database and so read or manipulate its content. The security advisory lists graph_view.php (graph_list parameter), tree.php (leaf_id parameter), graph_xport.php (local_graph_id parameter), tree.php (id parameter) and index.php/login (login_username parameter) as vulnerable to SQL injection.
Cross-site scripting is apparently possible in graph.php (view_type parameter), graph_view.php (filter parameter) and index.php/login (action and login_username parameters). The local_graph_id parameter in graph.php additionally discloses the file system path of the Cacti installation.
The bugs are present in Cacti versions 0.8.7a and earlier. The development team has now released versions 0.8.7b and 0.8.6k in which the vulnerabilities are fixed. Cacti users should download and install the updated version without delay.
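The two defensive checks that close the bug classes described above, shown in PHP as an added example (not code from the advisory or from Cacti itself): numeric id parameters are validated and bound through a prepared statement before they reach MySQL, and free-text parameters echoed back into the page are HTML-escaped. It assumes an open PDO connection in $pdo; the table and column names are placeholders, not Cacti's real schema.

```php
<?php
// Assumption: $pdo is an open PDO connection; `graph_local` and its columns are
// hypothetical placeholders standing in for whatever table the real script reads.

// Numeric request parameters (local_graph_id, leaf_id, id) must be integers.
// Reject anything else instead of interpolating it into SQL.
function require_int_param(array $request, string $name): int {
    $int = filter_var($request[$name] ?? null, FILTER_VALIDATE_INT);
    if ($int === false) {
        http_response_code(400);
        exit("Invalid value for parameter $name");
    }
    return $int;
}

// graph_list arrives as a comma-separated list of ids: validate every element,
// so a single malformed entry cannot smuggle text into the query.
function require_int_list(array $request, string $name): array {
    $ids = [];
    foreach (explode(',', (string)($request[$name] ?? '')) as $part) {
        $int = filter_var(trim($part), FILTER_VALIDATE_INT);
        if ($int === false) {
            http_response_code(400);
            exit("Invalid value in parameter $name");
        }
        $ids[] = $int;
    }
    return $ids;
}

// Vulnerable pattern (the defect the advisory describes): the raw parameter is
// concatenated into the query text, so the query structure is user-controlled.
// $rows = $pdo->query("SELECT ... WHERE id=" . $_GET['local_graph_id']);

// Hardened pattern: a validated integer bound as a parameter can only ever be
// a value in the query, never part of its structure.
$localGraphId = require_int_param($_GET, 'local_graph_id');
$stmt = $pdo->prepare('SELECT id, title FROM graph_local WHERE id = :id');
$stmt->execute([':id' => $localGraphId]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Free-text parameters (filter, login_username, view_type) that are reflected
// into the HTML response must be escaped; this closes the reflected XSS.
$filter = (string)($_GET['filter'] ?? '');
echo '<input type="text" name="filter" value="'
    . htmlspecialchars($filter, ENT_QUOTES, 'UTF-8') . '">';
```

Turning off display_errors in production also removes the path disclosure that a PHP error message triggered through a malformed local_graph_id would otherwise leak.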
See also:
- Multiple Vulnerabilities in Cacti, security advisory from Francesco "ascii" Ongaro and Antonio "s4tan" Parata
- The latest version of Cacti
- Changelog, summary of changes in Cacti
(mba)